To attract more women, cybersecurity industry could drop macho jargon
The cybersecurity industry has a history of hostility toward women. To make the field more welcoming, female security pros recommend moving away from the aggressive language of combat and talking about protecting people instead.
Michelle Dennedy is accustomed to being the lone woman in the room. Not only is she working in male-dominated Silicon Valley, Ms. Dennedy has successfully ascended part of the tech world where women are especially scarce: cybersecurity.
Women make up less than 20 percent of the information security workforce, according to a 2014 Ponemon Institute study, and stories of women leaving the industry before rising through the ranks are commonplace.
The gender disparity, says Dennedy, chief privacy officer for Intel Security in Santa Clara, Calif., has consequences for the cybersecurity industry. “We pay a price for this lack of diversity,” Dennedy says. “We are not innovating as quickly as we need to be because there aren’t enough women in this field. Any time you have uniformity of thought, as you do in this field, you miss out on the most creative solutions or tactics.”
Several efforts are underway to support women in cybersecurity and encourage more female computer science students to pursue the field. Yet Dennedy and others say that really tipping the scales in favor of gender diversity will require the entire industry to talk differently about security.
Cybersecurity parlance often mirrors the language of combat and "taking down the bad guys," says Dennedy. Take, for instance, President Obama’s remarks at a cybersecurity summit at Stanford University last week, where he described cyberspace as the new “Wild West” and the government as the sheriff. But the field also relies on understanding human emotion, she says, which tends to come more naturally to women.
“Men and women are just socialized differently,” Dennedy says. “We approach problems from different perspectives because of how we were raised to see the world.”
For instance, Dennedy says she isn't driven by the thrill of battling invisible enemies over the Internet. It's far more personal for her: It's about protecting people’s identities.
After her first daughter was born in 2001, she realized her child’s life would be wrapped up in data. At the time, she was already working in privacy, and by searching a database of stolen identities, she discovered that her daughter’s Social Security number had been used 11 years before her birth to create fraudulent bank accounts.
“It was like she was born with a financial birth defect,” she says. “If we hadn’t known about this and taken care of it, it could have caused her so many tangible harms. It could have affected her background searches, her ability to get a phone, a school loan, a job or a home.”
Over the past 15 years, her passion for keeping personal identities safe has pushed her to the very top of her industry; she has held C-suite roles at Sun Microsystems, Oracle, and now Intel Security.
According to Rebecca Wright, a professor of computer security at Rutgers University, young women applying for cybersecurity programs in college often have similar reasons for pursuing this line of work.
“In their essays, they describe security and privacy as a way to help other people or their country,” she says. “The field matches their technical interest but they also see it as a way to do something meaningful in the world.”
Sexism in the classroom
For women just starting in the field, the adversarial language of attack and combat often alienates female students who otherwise may pursue careers in security.
“I talk to freshmen who are confused about what we do in security and privacy,” says Jessie Pease, a senior at California Polytechnic State University specializing in computer security. “There’s a misconception that we’re all hackers who sit in our basements drinking Mountain Dew and not showering. People think that knowing how to hack is a prerequisite to be in this field.”
Only 18 percent of computer science degrees are awarded to women; in the subfield of cybersecurity, that figure is less than 10 percent. This gender imbalance has also impacted women’s experience in the classroom.
Pease says she has had to deal with both subtle and overt hostility from men in her classes. “The security major has a reputation for being very technical and hard,” she says. “Male classmates just assume that girls are not capable of doing the work. The way they talk to us tends to be condescending.”
Male students have asked her if she even knows how to code. Her male lab partners have tried to take over entire projects because they worry that she will bring down their grades. They've implied that the only reason Pease has gotten a string of enviable internships at Cisco and Apple is because she is a woman and has benefited from affirmative action. She’s noticed some of her female classmates switched to majors where there is more gender balance, such as user interface or user experience.
Things are slowly beginning to change. Pease was the president of the Women in Software and Hardware club, where she has tried to make her field more attractive to women just starting college. She’s also spearheaded a Lean In Circle on her campus, where women and even a few progressive men gather to discuss ideas represented in Sheryl Sandberg's book "Lean In" and practical ways to deal with gender-related problems.
For instance, she’s developed strategies to confront colleagues or classmates who are being patronizing. (“Bring it up with him later in private,” she recommends. “And always frame it in terms of how you are feeling so he does not feel attacked.”) There are also scholarships available for women who are interested in degrees in cybersecurity. Pease herself received a grant funded, in part, by Hewlett-Packard as part of its Scholarships for Women Studying Information Security program.
New recruitment drive
In the workplace, efforts are also underway to support women in cybersecurity. Dennedy says that Intel Security has launched a $300 million diversity initiative to bring more women into the fold. She says that this investment is proof that gender diversity offers tangible benefits to the company. “The company does not just throw money around,” she says. “This is a Machiavellian move that signals to me that gender diversity is good for business.”
This initiative is just getting off the ground but Dennedy says it will involve making more deliberate efforts to recruit women, retaining them by better accommodating to their needs, and working to change workplace culture. Given that women currently make up less than one-fifth of cybersecurity professionals, it will take time for the industry to change, but Dennedy is hopeful that the new generation of women in the industry will have an easier time that she did.
To be sure, being a woman in such a deep-seated, male-dominated industry that can be overwhelming. Every year, for example, Dennedy goes to the RSA Conference, the flagship cybersecurity gathering, and finds herself lost in a sea of men. As she goes down the big escalator at the Moscone Center in San Francisco, where the event is held, she feels a thousand men ogling her simply because she is such an anomaly.
“One year, I was so annoyed at one man who was shamelessly staring at me that I just lifted up my skirt to give him a full view of my black Spanx,” she says. “It seemed like that was what he wanted to see.”
Dennedy tends to laughingly brush off the rude encounters she has with male counterparts, but not all women are so spunky. Many find the culture in the industry so uncomfortable that they leave altogether citing gender discrimination, lack of social change, or a lack of support for employers for advancement.
And even Dennedy, force of nature that she is, admits that being a woman has held her back; she has found it difficult to balance her career with raising two daughters and has struggled to find mentors.
“I’m exhausted,” she says. “I can act the clown and flash people to make a point, but I also feel completely isolated. I can’t discuss my problems with my girlfriends because they don’t understand what I do. Men don’t have that problem: they can find mentors who are going through the same things they are experiencing.”
Bringing a different approach
But bringing more women in the field isn't just about improving workplace culture, it's also about being better at confronting the Internet’s trickiest problems.
As more women enter the field, Dennedy hopes they will use the their skills to help the most vulnerable members of society who are being abused by nefarious online behavior. She points to the darkest corners of the Internet – revenge porn sites, prostitution rings, human trafficking, underaged porn – all of which disproportionately affect women.
“Technology can help here,” she says. “These are very complex things to solve, but we can begin to use image recognition technology to identify naked bodies, see where dirty money is passing hands, and de-index sites that are harmful.”
Ultimately, however, Dennedy argues that making the Internet a safer place for women requires deeper cultural change that is more likely to take place when women play a bigger role in governing and securing the Internet.“
When a community condemns something, there will always be outliers who violate that convention,” she says. “But the majority of the population will adhere to the norm. With more women in the field, we can help to shape what those norms and conventions will be.”